Hibernate log4j.properties print DB uname & pass

Question

My story is as follows. I have a java app with hibernate connected to a embedded db(derby). The funny thing was, that my hibernate app printed the uname at start, because i was using slf4j-simple, and so i set my App to use log4j.

Hibernate db uname&pass are set in code, using property object. I tried using the same trick on log4j property configurator, but the log4j.properties file overide my property object. But the log4j.properties file is easily changed, and the main quiestion is. Can log4j be set to print my db uname&pass, or any of the sensitive data used in my Hibernate config in the App???

Answer 1

If I understand you correctly... that your hibernate app is making calls (either directly or indirectly) to one of the logger functions (debug, warn, error, info, etc) and passing the username/password as the parameters...

Then, YES, absolutely log4j can be configured to print uname & pass. And, YES, you can "set the logger in log4j."

Moreover, doing either would be rather easy. You can modify the root logger to display all logging calls throughout the entire application (including the libraries).

---

The bottom line, if the uname/pass are set in code, in plain text, getting it out is trivially simple (log4j isn't the only way), even without access to the source *.java files.